perl-modperl mailing list archives

From "Carl Johnstone" <modp...@fadetoblack.me.uk>
Subject Re: X_FORWARDED_FOR original IP
Date Fri, 03 Aug 2007 13:09:57 GMT
> No. Here both PHP and CGI scripts can get the X_FORWARDED_FOR ip, but
> modperl can't. Is the %ENV hash not useful under modperl?

mod_perl is not CGI.

With mod_perl your perl interpreter is part of the apache process itself. So 
making apache set up the environment is a waste of time; you can just access 
*anything* you want within apache internally.

You shouldn't use X-Forwarded-For for this purpose:

1) You can't trust the header! Anybody could make requests from your system 
and set a bogus X-Forwarded-For header and therefore feed fake IPs into your 
system. You have a major security problem if you rely on this for any access 
control, and any auditing process will have fake information.

2) Multiple clients may use the same internal IP ranges. So you'll get 
addresses 192.168.0.173 from clients on both Client A's network and on 
Client B's network.

All you can do is use the public IP you are receiving, and leave it to your 
clients to figure out which internal user it was from their own internal 
proxy logs.

The only time it would be safe to use X-Forwarded-For would be when there 
*always* is a proxy server that you control (for example a reverse proxy).

Carl

